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REMARKS 



A. INTRODUCTION 

Claims 30-50 are pending. In the final Office Action mailed on October 5, 2006, the 
Examiner rejected claims 30-33. 35. 38-41. 43, and 46-49 under 35 U.S.C. § 103(a) over 
U.S- Patent No. 6,691,232 to Wood, et al. ('"Wood") and U.S. Patent No. 6728,884 to Lim; 
and rejected claims 34., 36-37, 42, 44-45, and 50 under 35 U.S.C. § 103(a) over Wood, 
Lim, and Applicant Admitted Prior Art (AAPA), 



APPLICANTS TECHNIQUES 



Applicant's techniques are directed to determining an authentication methodology 
prior to a client requesting access to a server. A controlling client computer system 
provides (1) an instmction to a server. The instnjction indicates an authentication 
methodology that is to be used to authenticate a client computer system. After the server 
has received this instruction from the controlling client computer system, the server may 
receive (2) an access request from the client computer system. After receiving an access 
request from the client computer system, the server authenticates (3) the client computer 
system using the authentication methodology indicated by the instruction received from the 
controlling client computer system. 
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Unlike applicant's techniques, Wood describes a client requesting (1) access to a 
server's applications and/or resources prior to determination of an authentication 
methodology (col. 7, lines 34-40). After a client has requested access to the server, the 
server, via a login component, provides (2) the client with a list of suitable authentication 
schemes, from which the client may select (col. 11, lines 34-38). The client then selects 
(3) an authentication scheme and the server authenticates the client using the selected 
scheme. 
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Unlike applicant's techniques, Lim also describes a client requesting (1) access to a 
server prior to determination of an authentication methodology (col. 5, lines 18-23, 30-31, 
45-49). After the client has requested access to the server, the access server requests (2) 
authentication of the client from the authentication and authorization server. The access 
server may transmit to the authentication and authorization server any authentication 
infbnmation received from the client, including user id. password, and a list of the remote 
security servers that can authenticate the user (coL 5, lines 63-67). The authentication 
and authorization server initially authenticates (3a) the client through use of the remote 
security server. Data received from a remote security sen/er is stored (4c) in the registry 
server for later use (3b) by the authentication and authorization sen/er for subsequent 
authentication of the client without having to use the remote security server. The remote 
security server manages authentication profiles of clients and may authenticate a user 
based on the user id and password supplied by the client (coL 4> lines 31-32). The registry 
server is a central repository that contains authentication profiles of clients, including user 
id and password (col. 6, lines 1 1-19). Once rt receives (4a and 4b) a result from either the 
remote security server or the registry sen/er, the authentication and authorization sen/er 
returns (5) information to the access sen/er that indicates whether the client is authorized 
and what are its access rights (col.5, line 67 - col. 6, line 3). Data representing the clienrs 
access rights is stored (6) in a cookie in the client's browser. 

E. PRIOR ART REJECTIONS 

Claims 30-50 stand rejected over Wood and Lim alone or in combination with 
AAPA, under 35 U.S.C. § 103(a). Applicant respectfully traverses this rejection. 

All of the claims are directed to a server being provided with an instruction from a 
controlling client computer system (or controlling entity) prior to the server receiving a 
request from a client computer system (or client entity) to access a service of the server. 
In addition, all of the claims are directed to said instmctlon indicating an authentication 
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methodology, said authentication methodology being selected from multiple authentication 
methodologies- Claims 30-37 recite: 

A method in a server computer of authenticating client computer 
systems, the method comprising: 

receiving from a controlling client computer system an instruction that 
indicates an authentication methodology that is to be used to 
authenticate a client computer system the authentication 
methodology being selected from multiple authentication 
methodologies 

after receiving the instruction, receiving a request from the client . 
computer system to access a service of the server computer 
system; 

Claims 38-45 recite: 

A method in a controlling client computer system for providing 
indications of authentication methodologies to a server computer system, the 
method comprising: 

generating an instnjction that indicates an authentication methodology 
that is to be used to authenticate a client computer system 
the authentication methodology being selected from multiple 
authentication methodologies and 

sending the generated instmction to the server computer system so 
that upon receiving a request from the client corhputer system 
to access a service of the server computer system after the 
instruction is received at the server computer system .... 

Claims 46-50 recite: 

A tangible computer-readable medium containing instructions for 
controlling a server computer system to authenticate entities, by a method 
comprising: 

receiving from a controlling entity an instruction that indicates an 
authentication methodology that is to be used to authenticate 
an entity, the authentication methodology being selected from 
multiple authentication methodologies . . .; 
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after receiving the instruction from the controlling entity, receiving a 
request from the entity to access a service of the server 
computer system; ... 

Neither Wood nor Lim teaches or suggests a server being pn^vided with an 
Instruction from a controlling client computer system (or controlling entity) prior to the 
server receiving a request from a client computer system (or client entity) to access a 
service of the server. In contrast Wood and Lim both describe a client first requesting 
access to a server (Wood. coL 7, lines 34-40; Urn, col. 5, lines 18-23, 30-31, 45-49). The 
Examiner believes that Wood does not require a client to first request access to a server. 
The Examiner stated: 

Wood did not explicitly disclose the access request is received after the 
authentication instnjction. however. Wood does state it is not necessary for 
the user to request access before determining suitable authentication 
methods (see col 1 1 lines 23-29), This implies the claimed order because 
requesting access to a resource is necessary before accessing the resource. 

Wood does describe a situation in which a user does not request access to any particular 
information resource: 

If there is no particular resource for which access is being requested (e.g., if 
a user jumps straight to a sign-on page without requesting an access), the 
service will proceed according to the lowest level of trust available consistent 
with session environment. 

(col. 11. lines 23-28, emphasis added). However, in such a case, the user is still 
requesting access to the "service" of the server. Wood defines access as "presenting a 
URL to gatekeeper/entry handler component, which acts as a point of entry for client 
entities requesting applications and/or resources controlled by the security architecture" 
(coL 7, lines 34-40), When the client submits the URL of the sign-on page, it is requesting 
access to the service of the server, even if not to a particular information resource. 
Because the client has not yet requested an information resource, for which there is an 
associated trust level, the server may proceed to its service according to the lowest level of 
trust (col. 1 1 , lines 23-29), Further, under Wood the authentication methodology cannot be 
chosen prior to a client requesting access, because the client must select an 
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aLrthentication methodology from a list of suitable methodologies provided to it by the 
server (via the login component) (col. 1 1 . lines 34-51). This must necessarily occur after a 
client has requested access to the server, establishing communication with the sen/er. 
Thus, Wood does not teach or suggest after receiving an instruction that indicates the 
authentication methodology, receiving or sending "a request ... to access a service." 

Like Wood, but unlike applicant's techniques, Lim describes a user first requesting 
access to a server (col. 5, lines 18-23, 30-31, 45-49). In addition, Lim does not disclose 
selecting an authentication methodology from multiple authentication methodologies based 
on the abilities and access rights of the client Lim describes use of only one 
authentication methodology, one that is based on user id and password. The Examiner 
stated that "Lim disclosed a Registry Server containing information on how a user should- 
be authenticated." However, this information is simply an authentication profile that may 
include user id, password, and a list of the remote security servers that can authenticate 
the user (col.6, lines 12-19). Lim uses the user id and password provided by a client to 
determine, using a single authentication methodology (whether via a remote security 
server or the registry server), the access rights had by the user. Lim describes access 
rights that are established as a result of the authentication process, in contrast to 
applicant's techniques, which are directed to a client's access rights assisting in 
determining the authentication methodology selected. Thus, Lim does not teach or 
suggest selecting an authentication methodology from multiple authentication 
methodologies based on the abilities and access rights of the client; nor does Lim teach or 
suggest after receiving an instruction that indicates the authentication methodology, 
receiving or sending "a request ... to access a service." 

Based on the foregoing, all of the claims are patentable. 
F. CONCLUSION 
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In view of the above remarks, applicant believes the pending application is in 
condition for allowance and respectfully requests reconsideration. If the Examiner has any 
questions or believes a telephone conference would further expedite prosecution of this 
application, the Examiner is encouraged to call the undersigned at (206) 359^8548. 

Dated: Respectfully submitted, 



By 

Maurice J. Pirio 

Registration No.: 33,273 
PERKINS COIE LLP 
P.O. Box 1247 

Seattle. Washington 981 1 1 -1 247 
(206) 359-8548 
(206) 359-9548 (Fax) 
Attorney for Applicant 
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